Extracting restricted_to into a reference to an array of strings #2841

Open
lubosek opened this issue Jun 28, 2023 · 0 comments

Summary

Extracting restricted_to into a reference to an array of strings (so I can reuse it for multiple hosts) throws a validation error, although as YAML it's valid.
I wanted to reuse the anchor with allowed_ip_ranges (see below) for multiple hosts.

Steps to Reproduce

  1. Create policy with array of CIDRs in an anchor:
- !policy
  id: our-vault
  body:
    - &allowed_ip_ranges
      - 10.62.0.0/16 
      - 10.208.0.0/16 
      - 10.63.80.0/24

    - !host
      id: machine
      restricted_to: *allowed_ip_ranges

    - &secrets
      - !variable
        id: vault-password

    - !permit
      role: !host machine
      privileges:
        - read     # the host can retrieve the names of the variables
        - execute  # the host can retrieve the values of the variables
      resource: *secrets

  2. Load the policy to Conjur

Expected Results

Policy is parsed successfully and allowed_ip_ranges array values are used as restricted_to

Actual Results

The following error is returned:

{
  "error": {
    "code": "validation_failed",
    "message": "policy_text undefined method `referenced_records' for \"10.62.0.0/16\":String",
    "details": [
      {
        "code": "validation_failed",
        "target": "policy_text",
        "message": "undefined method `referenced_records' for \"10.62.0.0/16\":String"
      }
    ]
  }
}

Reproducible

Always

Version/Tag number

{
  "release": "12.7.0",
  "version": "5.16.12-20",
  "services": {
    "ldap-sync": {
      "desired": "i",
      "status": "i",
      "err": null,
      "description": "Conjur",
      "name": "conjur-ldap-sync",
      "version": "2.4.1",
      "arch": "amd64"
    },
    "possum": {
      "desired": "i",
      "status": "i",
      "err": null,
      "description": "Conjur",
      "name": "conjur-possum",
      "version": "1.18.3-3057",
      "arch": "amd64"
    },
    "ui": {
      "desired": "i",
      "status": "i",
      "err": null,
      "description": "Conjur",
      "name": "conjur-ui",
      "version": "2.14.2-1662",
      "arch": "amd64"
    }
  }
...

Additional Information

Seems that YAML anchors work just fine for variable and host arrays.
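
An added example, not part of the issue or of Conjur's code: a plain-YAML check over the policy from the reproduction steps (constructed here, with `!permit` omitted), showing that the anchored CIDR list is itself an entry of `body` and holds untagged strings, while the `&secrets` list holds a tagged record. That the loader treats such an entry as policy records is an inference from the error message above; `body_entries_with_plain_strings` is a hypothetical helper name.

```ruby
require "psych"

# Policy text constructed from the issue's reproduction steps.
POLICY = <<~YAML
  - !policy
    id: our-vault
    body:
      - &allowed_ip_ranges
        - 10.62.0.0/16
        - 10.208.0.0/16
        - 10.63.80.0/24

      - !host
        id: machine
        restricted_to: *allowed_ip_ranges

      - &secrets
        - !variable
          id: vault-password
YAML

# Return the value node stored under `key` in a YAML mapping node.
def mapping_value(mapping, key)
  mapping.children.each_slice(2) do |k, v|
    return v if k.is_a?(Psych::Nodes::Scalar) && k.value == key
  end
  nil
end

# Collect untagged scalars reachable from a body entry through nested sequences only.
def bare_scalars(node)
  case node
  when Psych::Nodes::Scalar then node.tag ? [] : [node.value]
  when Psych::Nodes::Sequence then node.children.flat_map { |c| bare_scalars(c) }
  else [] # mappings (such as !host, !variable) and aliases are not inspected
  end
end

# Hypothetical lint helper: list body entries that contain plain strings.
def body_entries_with_plain_strings(yaml)
  policy = Psych.parse(yaml).root.children.first # the !policy mapping
  body = mapping_value(policy, "body")
  findings = body.children.each_with_index.map do |entry, i|
    strings = bare_scalars(entry)
    { index: i, anchor: entry.anchor, strings: strings } unless strings.empty?
  end
  findings.compact
end
```
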
